# aports issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues
Updated: 2019-12-19T15:05:47Z

## main/udisks: mount USB flash memory as noexec
https://gitlab.alpinelinux.org/alpine/aports/-/issues/845
Updated: 2019-12-19T15:05:47Z
Author: Ariadne Conill <ariadne@ariadne.space>

while we do have PaX protections, we shouldn’t strictly rely on them to
keep us from being rooted.
consider a user, who has USB flash memory and shouldn’t really be using
your computer. said user could insert USB dongle with precompiled
statically linked exploit binary to possibly gain root without any other
access by opening a terminal on the computer.
if we make the USB flash memory noexec, then this cannot happen.
*(from redmine: issue id 845, created on 2011-12-01)*
Milestone: 3.11.0
Assignee: Natanael Copa
Due date: 2012-10-01

## 'lbu diff' does not handle symlinks right
https://gitlab.alpinelinux.org/alpine/aports/-/issues/2847
Updated: 2019-07-15T14:13:19Z
Author: Timo Teräs

It should not dereference the symlinks. Would be preferable to say
“symlink has changed from A to B” or similar, instead of diffing the
dereferenced contents.
This should also fix the errors that come if symlink points to
non-existing file.
*(from redmine: issue id 2847, created on 2014-04-18)*
* Changesets:
* Revision 9cfd35abf9b00914739d3f84255cb440fa683bce by Natanael Copa on 2014-07-28T14:48:17Z:
```
main/busybox: add support for --no-dereference in 'diff'
ref #2847
```
* Revision 5e0bfe298c4ff28f1babb78659d125fd1fff8149 by Natanael Copa on 2014-08-26T12:00:44Z:
```
main/alpine-conf: fix symlink handling with lbu diff
ref #2847
```
Milestone: 3.11.0
Assignee: Natanael Copa

## Make GCC able to compile exe binaries
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5011
Updated: 2019-07-15T14:25:28Z
Author: Francesco Colista

I know this can be a long-term goal, but might be helpful having GCC
able to compile binaries for windows.
The reason behind this request is having openvas-smb built.
But at the same time, there are other packages that would benefit from
this feature (like wmi).
Alpine, since it is fast and small, would be a very nice candidate for a
pentesting environment.
<marketing mode>
At the moment, there are already several packages ported for this goal,
and having full openvas suite built might become a killer-app for people
who do pentesting.
</marketing mode>
Thanks.
*(from redmine: issue id 5011, created on 2016-01-11)*
Milestone: 3.11.0

## php7 pecl: XML Extension not found
https://gitlab.alpinelinux.org/alpine/aports/-/issues/5378
Updated: 2019-11-19T08:22:39Z
Author: Alex N

Hi,
I’m running alpine 3.3 in docker with the testing repo for php7
packages, after installing php7-pear, and trying to run pecl I get a
bunch of warnings/notices :
```
~ # pecl
Warning: Invalid argument supplied for foreach() in Command.php on line 249
Warning: Invalid argument supplied for foreach() in /usr/share/php7/PEAR/Command.php on line 249
Notice: Undefined index: honorsbaseinstall in Role.php on line 173
Notice: Undefined index: installable in Role.php on line 139
Notice: Undefined index: phpfile in Role.php on line 204
Notice: Undefined index: config_vars in Role.php on line 46
```
And if I try to install mongodb for example, I’ll get the same warnings
as before with an extra “XML Extension not found” at the end.
I compared the “/usr/bin/pecl” with one from ubuntu and the only
difference is the “-n” in the exec line :
alpine:
```
exec $PHP -C -n -q $INCARG -d date.timezone=UTC -d output_buffering=1 -d variables_order=EGPCS -d safe_mode=0 -d register_argc_argv="On" $INCDIR/peclcmd.php "$@"
```
ubuntu:
```
exec $PHP -C -q $INCARG -d date.timezone=UTC -d output_buffering=1 -d variables_order=EGPCS -d safe_mode=0 -d register_argc_argv="On" $INCDIR/peclcmd.php "$@"
```
-n meaning: “No configuration (ini) files will be used”
If not using conf, xml won’t be loaded, so I’m pretty sure the “-n”
should be removed.
I tested after removing it, and got no warning or anything and was able
to install my extension.
*(from redmine: issue id 5378, created on 2016-04-06)*
Milestone: 3.11.0

## Oscam fails to create newcamd server
https://gitlab.alpinelinux.org/alpine/aports/-/issues/6070
Updated: 2019-12-25T08:19:22Z
Author: Torbjørn Brekke

Oscam starts up and webif is accessible, but if you configure a newcamd
server it fails to start the newcamd server. This is the error in the
log:
```
13:13:22 00000000 s (net) newcamd: Cannot create socket (errno=97: Address family not supported by protocol)
13:13:22 00000000 s (net) newcamd: Trying fallback to IPv4
13:13:22 00000000 s (net) newcamd: setsockopt(IPV6_V6ONLY) failed (errno=92: Protocol not available)
13:13:22 00000000 s (net) newcamd: Bind request failed (Address family not supported by protocol), waiting another 119 seconds
```
This is only a problem on kernels with only IPV4. The simple fix is to
disable IPV6 when compiling Oscam. Unfortunately there is no way to
disable IPV6 in Oscam once it’s compiled in.
To disable it add `--disable IPV6SUPPORT` when running configure.
*(from redmine: issue id 6070, created on 2016-08-21)*
Milestone: 3.11.0
Assignee: Carlo Landmeter

## Package shellcheck
https://gitlab.alpinelinux.org/alpine/aports/-/issues/7105
Updated: 2019-09-18T22:41:00Z
Author: Oliver Smith

ShellCheck tests shell scripts (not limited to bash).
https://github.com/koalaman/shellcheck
I have noted that there have not been any Haskell programs packaged for
Alpine, and this program has 11 dependencies.
It is already packaged in Arch Linux and other distributions:
https://www.archlinux.org/packages/community/x86\_64/shellcheck/
Here are the dependencies from the Arch Linux website.
(OK): already packaged in Alpine
\*: already listed as dependency above
depends:
- gmp (OK)
- libffi (OK)
- ghc (OK)
makedepends (11):
- haskell-json
- haskell-mtl
- haskell-syb
- haskell-text
- haskell-mtl\*
- haskell-parsec
- haskell-mtl\*
- haskell-text\*
- haskell-quickcheck
- haskell-random
- haskell-tf-random
- haskell-random\*
- haskell-primitive
- haskell-regex-tdfa
- haskell-mtl\*
- haskell-parsec\*
- haskell-regex-base
- haskell-mtl\*
I may find time to package it myself - is there anything to look out
for, or can I just use the Arch Linux PKGBUILDs and rewrite them to
APKBUILDs?
Would all of them go in one pull-request, or would one make one
pull-request per package?
Thanks.
*(from redmine: issue id 7105, created on 2017-04-09)*
Milestone: 3.11.0

## Stripping does not work for .a files
https://gitlab.alpinelinux.org/alpine/aports/-/issues/7332
Updated: 2019-12-25T08:18:19Z
Author: Shiz ...

In abuild, automatic debug information separation as done by
default\_dbg() does not separate debug info from static .a libraries,
causing them to bloat in size immensely.
For instance, with the LLVM package, simply adding a $pkgname-dbg
subpackage causes the llvm4-static package to bloat in size to 1.7GB.
It seems like stripping is also not applied to .a files in general,
leading to probably needless code bloat.
*(from redmine: issue id 7332, created on 2017-05-26)*
Milestone: 3.11.0

## new package - "go-ipfs"
https://gitlab.alpinelinux.org/alpine/aports/-/issues/7874
Updated: 2019-12-05T06:01:21Z
Author: Szymon Scholz

A peer-to-peer hypermedia protocol to make the web faster, safer, and
more open.
https://ipfs.io
implementation in GO language https://github.com/ipfs/go-ipfs
I think it’s a nice idea; even in alpha it’s stable enough for personal use,
not yet for production. Just read and look for the capabilities.
*(from redmine: issue id 7874, created on 2017-09-20)*
Milestone: 3.11.0

## Kubernetes on armhf
https://gitlab.alpinelinux.org/alpine/aports/-/issues/8056
Updated: 2019-07-23T10:35:31Z
Author: algitbot

Hi,
I am trying to install kubernetes on a raspberry pi running Alpine.
There’s a kubernetes package developed by Francesco Colista, however,
it’s designed to run on X86-64 not arm.
Anybody can help with this issue please?
Regards.
Awos Ali
*(from redmine: issue id 8056, created on 2017-10-25)*
Milestone: 3.11.0

## No pdftk package for Alpine 3.9
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10136
Updated: 2022-10-13T14:22:30Z
Author: Otto Bretz

It existed in 3.8
https://pkgs.alpinelinux.org/packages?name=pdftk&branch=v3.8
but not in https://pkgs.alpinelinux.org/packages?name=pdftk&branch=v3.9
I can’t use the edge package since it links against libc:
```
ERROR: unsatisfiable constraints: so:libgcj.so.17 (missing): required by: pdftk-2.02-r1[so:libgcj.so.17]
The command '/bin/sh -c apk add --no-cache --repository http://dl-cdn.alpinelinux.org/alpine/edge/community pdftk' returned a non-zero code: 2
```
I’ve emailed the maintainer but did not get any reply. Is there any
chance of getting a 3.9 version?
*(from redmine: issue id 10136, created on 2019-03-19)*
Milestone: 3.11.0

## ossec-hids: several issues
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10235
Updated: 2019-07-23T11:12:01Z
Author: Miguel Da Silva

There are several issues with the ossec-hids package:
1. Currently only the installation type ‘server’ is supported. In
addition, the installation types ‘agent’ and ‘local’ should also be
supported.
In the attached patch we added support for the agent type.
However, to get it working, the following parameter in APKBUILD needs to
be changed:
`export USER_INSTALL_TYPE=agent`
It is suggested to create several separate (sub-)packages for the agent
and server, such as ossec-server and ossec-agent (local is imho not
needed)
2. The source directory contains several old patch files which are not
used anymore.
In the attached patch we removed these files
3. The ossec users (ossec, ossecm, ossecr) are currently created with
the default shell /bin/false. However, the common no-login shell in
Alpine Linux seems to be /sbin/nologin
The attached patch contains this change
4. Ossec is installed in a chroot under /var/ossec, the configuration
files are stored in /var/ossec/etc. It seems that these configuration
files in /var/ossec/etc are overwritten during the upgrade. They should
be preserved and addressed with ‘update-conf’
5. The file /var/ossec/etc/ossec.conf contains wrong path definitions,
such as
```
<rootkit_files>/var/buildserver/aports/testing/ossec-hids/pkg/ossec-hids/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
```
correct would be:
```
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
```
*(from redmine: issue id 10235, created on 2019-04-13, closed on 2019-07-11)*
* Changesets:
* Revision 841a0b258509a745b79e279404ec092f5d50385c by Francesco Colista on 2019-07-09T07:11:42Z:
```
testing/ossec-hids: added agent, updated APKBUILD, fixes #10235
```
* Uploads:
* [0001-add-support-for-ossec-agents-and-remove-old-patch-fi.patch](/uploads/2717cb93557f7affd21d813856b190e3/0001-add-support-for-ossec-agents-and-remove-old-patch-fi.patch)
Milestone: 3.11.0
Assignee: Francesco Colista

## Nginx init-script not working when /var/tmp is bind-mounted to /tmp
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10258
Updated: 2019-07-12T15:46:45Z
Author: Miguel Da Silva

The nginx init script requires an existing directory /var/tmp/nginx.
In case the /var/tmp directory is bind-mounted to /tmp and therefore
wiped on each reboot, nginx refuses to start.
It is suggested to create the missing directory in case it is not there
yet.
See the proposal in the attached patch file
*(from redmine: issue id 10258, created on 2019-04-15, closed on 2019-06-03)*
* Relations:
* relates #9364
* Changesets:
* Revision 8ded1028a7bcdabc411b39367920a61f7919fdd6 by Natanael Copa on 2019-06-21T10:20:45Z:
```
Revert "main/nginx: move /var/lib/nginx/tmp to /var/tmp/nginx"
FHS-3.0 says that /var/tmp should survive reboots, but for it is common
practice to ignore FHS for security reasons and wipe dirs that are world
writable.
There is no good reason to store nginx data under a world writable
directory, so move it back to /var/lib/nginx/tmp. Other distros does
something similar.
fixes #9246
fixes #10258
ref #9364
This reverts commit d6d624a149ca62af8679baf9cc99ce1354c190f0.
```
* Uploads:
* [0001-nginx-missing-directory.patch](/uploads/cb4568118481ecf44c8122d6a75133f3/0001-nginx-missing-directory.patch)
Milestone: 3.11.0
Assignee: Jakub Jirutka

## Upgrade MPFR
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10581
Updated: 2019-12-19T14:56:24Z
Author: algitbot

MPFR is on version 4.0.2 but Alpine still uses 3.1.5.
Would be good to update the version for Alpine 3.10 release
*(from redmine: issue id 10581, created on 2019-06-15)*
Milestone: 3.11.0

## udhcpc default config missing in minirootfs - no IPv4 connectivity
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10586
Updated: 2020-07-08T11:35:17Z
Author: Taylor Buchanan

I’ve been messing around with using minirootfs as a base for lxc with
s6. However, IPv4 connectivity doesn’t seem to work by default (not
setting IP on interface). I was able to get it working by copying
/usr/share/udhcpc/default.script from the main alpine lxc image.
The default config currently resides in busybox-initscripts which is not
deployed on minirootfs since it has primarily been focused around
Docker. After a brief chat with Natanael on IRC he said it might be
better located in the busybox package. I agree in this case since
minirootfs is targeted towards containers and LXC on Proxmox can be
configured to use DHCP.
*(from redmine: issue id 10586, created on 2019-06-18)*
Milestone: 3.11.0
Assignee: Natanael Copa

## [3.11] samba: Multiple vulnerabilities (CVE-2019-12435, CVE-2019-12436)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10589
Updated: 2019-07-23T11:06:49Z
Author: Alicha CH

CVE-2019-12435: Samba AD DC Denial of Service in DNS management server (dnsserver)
----------------------------------------------------------------------------------
The (poorly named) dnsserver RPC pipe provides administrative
facilities to modify DNS records and zones.
An authenticated user can crash the RPC server process via a NULL
pointer de-reference.
There is no further vulnerability associated with this issue, merely a
denial of service.
### Affected Versions:
Samba 4.9 and 4.10
### Fixed In Version:
Samba 4.9.9 and 4.10.5
### References:
https://www.samba.org/samba/security/CVE-2019-12435.html
https://www.samba.org/samba/history/security.html
### Patches:
https://download.samba.org/pub/samba/patches/security/samba-4.9.8-security-2019-06-19.patch
https://download.samba.org/pub/samba/patches/security/samba-4.10.4-security-2019-06-19.patch
CVE-2019-12436: Samba AD DC LDAP server crash (paged searches)
--------------------------------------------------------------
A user with read access to the LDAP server can crash the LDAP
server process. Depending on the Samba version and the choice
of process model, this may crash only the user’s own connection.
Specifically, while in Samba 4.10 the default is for one process per
connected client, site-specific configuration trigger can change
this.
Samba 4.10 also supports the ‘prefork’ process model and by
using the -M option to ‘samba’ and a ‘single’ process model.
Both of these share one process between multiple clients.
### Affected Versions:
All versions of Samba since Samba 4.10.0
### Fixed In Version:
Samba 4.10.5
### References:
https://www.samba.org/samba/security/CVE-2019-12436.html
### Patch:
https://download.samba.org/pub/samba/patches/security/samba-4.10.4-security-2019-06-19.patch
*(from redmine: issue id 10589, created on 2019-06-20, closed on 2019-06-21)*
* Relations:
* parent #10588
* Changesets:
* Revision bcc49b4c70d8234ad73c32628b01f58554ec5b5e on 2019-06-20T08:09:34Z:
```
main/samba: security upgrade to 4.10.5
CVE-2019-12435
CVE-2019-12436
fixes #10589
```
* Revision a80d49fcecdaa5350d709fc4e9b5d71716661eb7 on 2019-06-20T08:43:16Z:
```
main/samba: security upgrade to 4.10.5
CVE-2019-12435
CVE-2019-12436
fixes #10589
```
Milestone: 3.11.0
Assignee: Natanael Copa

## [3.11] firefox-esr: sandbox escape using Prompt:Open (CVE-2019-11708)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10601
Updated: 2019-07-24T09:55:29Z
Author: Alicha CH

Insufficient vetting of parameters passed with the `Prompt:Open`
IPC message between child and parent processes can result in the
non-sandboxed parent process opening web content chosen by a compromised
child process.
When combined with additional vulnerabilities
this could result in executing arbitrary code on the user’s computer.
### Fixed In Version:
Firefox ESR 60.7.2
### Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/
*(from redmine: issue id 10601, created on 2019-06-21, closed on 2019-06-28)*
* Relations:
* parent #10600
* Changesets:
* Revision ed5e768abd1db57117bb63de5dcff4da11d0576e on 2019-06-27T14:41:49Z:
```
community/firefox-esr: security upgrade to 60.7.2 (CVE-2019-11708)
fixes #10601
```
Milestone: 3.11.0
Assignee: Natanael Copa

## OpenSMTPd 6.4.x
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10605
Updated: 2019-12-05T07:45:11Z
Author: Kévin Guignard

OpenSMTPd package is already available, but not the latest version
**6.4.1** [1].
However since **6.4.0** [2] the configuration file
syntax has been completely reworked, breaking compatibility with
previous configuration files
and OpenSMTPD now depends on LibreSSL as an SSL library (efforts will no
longer be done to support OpenSSL too).
Do you plan to provide OpenSMTPd, maybe in a new package
“opensmtpd-6.4”, with the new features (including the incoming ECDSA
support) ?
[1] https://www.opensmtpd.org/announces/release-6.4.1.txt
[2] https://www.opensmtpd.org/announces/release-6.4.0.txt
*(from redmine: issue id 10605, created on 2019-06-23)*
Milestone: 3.11.0

## [3.11] libvirt: Multiple vulnerabilities (CVE-2019-10161, CVE-2019-10166, CVE-2019-10167, CVE-2019-10168)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10616
Updated: 2019-07-23T11:06:40Z
Author: Alicha CH

CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API
-----------------------------------------------------------------------------
It was discovered that libvirtd would permit readonly clients to use the
virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which
would be accessed with the permissions of the libvirtd process. An
attacker with access to the libvirtd socket could use this to probe the
existence of arbitrary files, cause denial of service or cause libvirtd
to execute arbitrary programs.
This vulnerability was first present in libvirt v0.9.4.
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://security-tracker.debian.org/tracker/CVE-2019-10161
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2019-10161
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=aed6a032cead4386472afb24b16196579e239580
CVE-2019-10166: virDomainManagedSaveDefineXML API exposed to readonly clients
-----------------------------------------------------------------------------
It was discovered that libvirtd would permit readonly clients to use the
virDomainManagedSaveDefineXML() API, which would permit them to modify
managed save state files. If a managed save had already been created by
a privileged user, a local attacker could modify this file such that
libvirtd would execute an arbitrary program when the domain was resumed.
This vulnerability was first present in libvirt v3.6.1.
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2019-10166
https://security-tracker.debian.org/tracker/CVE-2019-10166
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=db0b78457f183e4c7ac45bc94de86044a1e2056a
CVE-2019-10167: arbitrary command execution via virConnectGetDomainCapabilities API
-----------------------------------------------------------------------------------
The virConnectGetDomainCapabilities() libvirt API accepts an “emulatorbin”
argument to specify the program providing emulation for a domain. Since
v1.2.19, libvirt will execute that program to probe the domain’s
capabilities. Read-only clients could specify an arbitrary path for this
argument, causing libvirtd to execute a crafted executable with its own
privileges.
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://security-tracker.debian.org/tracker/CVE-2019-10167
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=8afa68bac0cf99d1f8aaa6566685c43c22622f26
CVE-2019-10168: arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs
-----------------------------------------------------------------------------------------------------------------------
The virConnectBaselineHypervisorCPU() and virConnectCompareHypervisorCPU()
libvirt APIs accept an “emulator” argument to specify the program providing
emulation for a domain. Since v1.2.19, libvirt will execute that program to
probe the domain’s capabilities. Read-only clients could specify an arbitrary
path for this argument, causing libvirtd to execute a crafted executable with
its own privileges.
### Fixed In Version:
libvirt 4.10.1, libvirt 5.4.1
### References:
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2019-10168
https://security-tracker.debian.org/tracker/CVE-2019-10168
### Patch:
https://libvirt.org/git/?p=libvirt.git;a=commit;h=bf6c2830b6c338b1f5699b095df36f374777b291
*(from redmine: issue id 10616, created on 2019-06-25, closed on 2019-07-04)*
* Relations:
* parent #10615
Milestone: 3.11.0
Assignee: Francesco Colista

## [3.11] evince: uninitialized memory use in function tiff_document_render() and tiff_document_get_thumbnail() (CVE-2019-11459)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10622
Updated: 2019-07-23T11:06:33Z
Author: Alicha CH

The tiff_document_render() and tiff_document_get_thumbnail()
functions in the TIFF document backend in GNOME Evince through 3.32.0 did
not handle errors from TIFFReadRGBAImageOriented(), leading to
uninitialized memory use when processing certain TIFF image files.
### Reference:
https://gitlab.gnome.org/GNOME/evince/issues/1129
### Patch:
https://gitlab.gnome.org/GNOME/evince/commit/234f034a4d15cd46dd556f4945f99fbd57ef5f15
*(from redmine: issue id 10622, created on 2019-06-25, closed on 2019-07-09)*
* Relations:
* parent #10621
* Changesets:
* Revision 21b65c26f6a56dd83992ba9783befc0455e3bdb0 by Natanael Copa on 2019-07-08T12:20:43Z:
```
community/evince: fix CVE-2019-11459
remove unused patch
fixes #10622
```
Milestone: 3.11.0

## [3.11] bind: Race condition when discarding malformed packets can cause bind to exit with assertion failure (CVE-2019-6471)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10626
Updated: 2019-08-08T10:00:24Z
Author: Alicha CH

A race condition which may occur when discarding malformed packets can
result in BIND exiting due to a REQUIRE assertion failure in dispatch.c.
An attacker who can cause a resolver to perform queries which will be
answered by a server which responds with deliberately malformed answers
can cause named to exit, denying service to clients.
### Versions affected:
BIND 9.11.0 -> 9.11.7, 9.12.0 -> 9.12.4-P1, 9.14.0 -> 9.14.2.
Also all releases of the BIND 9.13 development branch and
version 9.15.0 of the BIND 9.15 development branch. BIND Supported
Preview Edition versions 9.11.3-S1 -> 9.11.7-S1.
### Fixed In Version:
bind 9.11.8, bind 9.12.4-P2, bind 9.14.3, bind 9.15.1
### References:
https://kb.isc.org/docs/cve-2019-6471
*(from redmine: issue id 10626, created on 2019-06-27)*
Milestone: 3.11.0

## [3.11] bzip2: out-of-bounds write in function BZ2_decompress (CVE-2019-12900)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10643
Updated: 2019-07-23T11:06:20Z
Author: Alicha CH

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds
write when there are many selectors.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-12900
https://security-tracker.debian.org/tracker/CVE-2019-12900
### Patch:
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
*(from redmine: issue id 10643, created on 2019-07-02, closed on 2019-07-09)*
* Relations:
* parent #10642
* Changesets:
* Revision 53b02f8b1597aabb4ec836bb5aa421e0d1f95189 on 2019-07-04T15:37:46Z:
```
main/bzip2: add patch for CVE-2019-12900
Adding the upstream bzip2 security patch to fix the out of bounds security
vulnerability in bzip2.
fixes #10643
```
Milestone: 3.11.0
Assignee: Natanael Copa

## [3.11] irssi: Use after free when sending SASL login to the server (CVE-2019-13045)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10654
Updated: 2019-07-23T11:06:11Z
Author: Alicha CH

Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, when
SASL is enabled, has a use after free when sending SASL login to the server.
### Fixed In Version:
Irssi 1.0.8, 1.1.3, 1.2.1
### References:
https://irssi.org/security/irssi\_sa\_2019\_06.txt
https://www.openwall.com/lists/oss-security/2019/06/29/1
*(from redmine: issue id 10654, created on 2019-07-04, closed on 2019-07-04)*
* Relations:
* parent #10653
* Changesets:
* Revision a95d7efded7650a16db9f1cfa01e95bc5513cf83 by Natanael Copa on 2019-07-04T10:36:31Z:
```
main/irssi: security upgrade to 1.2.1 (CVE-2019-13045)
fixes #10654
```
Milestone: 3.11.0
Assignee: Natanael Copa

## [3.11] squid: XSS via user_name or auth parameter in cachemgr.cgi (CVE-2019-13345)
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10665
Updated: 2019-07-16T11:21:56Z
Author: Alicha CH

The cachemgr.cgi web module of Squid through 4.7 has
XSS via the user_name or auth parameter.
### References:
https://bugs.squid-cache.org/show\_bug.cgi?id=4957
https://github.com/squid-cache/squid/pull/429
*(from redmine: issue id 10665, created on 2019-07-09)*
* Relations:
* parent #10664
* Changesets:
* Revision 1bd365a6732f045db6dd96f516dec5764f0c8c57 by Natanael Copa on 2019-07-11T16:35:18Z:
```
main/squid: upgrade to 4.8
fixes #10665
```
Milestone: 3.11.0
Assignee: Natanael Copa

## Getting rid of main/jasper
https://gitlab.alpinelinux.org/alpine/aports/-/issues/10717
Updated: 2019-08-21T11:56:46Z
Author: Rasmus Thomsen <oss@cogitri.dev>

Jasper has had a lot of CVEs in recent days and the dev doesn't have enough time for the project anymore, lots of other distros have dropped it due to that reason.[1] It'd be nice if we could do the same.
Packages which need to be changed:
### main
- [x] ghostscript
### community
- [x] qt5-qtimageformats
- [x] gegl (CC @ncopa)
- [x] graphicsmagick (CC @fcolista)
### testing
- [x] openimageio
- [x] openscenegraph
1: https://github.com/mdadams/jasper/issues/208
3.11.0 | Rasmus Thomsen <oss@cogitri.dev> | Rasmus Thomsen <oss@cogitri.dev>

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10733
Moving GNOME to community
2019-10-12T10:05:36Z | Rasmus Thomsen <oss@cogitri.dev>
Although I'm a bit unsure if others are invested in this (I think at least PmOS people are though), I thought it might be worth laying out a short overview of how I plan to move GNOME into community:
1. Wait for GNOME 3.34, which will be released in September. It brings along a bunch of improvements, so I think it's worth waiting for it
2. Move core GNOME packages to community. Some are already in community (e.g. gnome-desktop), while others like mutter and gnome-shell aren't. The first batch of moved packages should just be core ones.
3. Slowly move over non-core packages (e.g. gnome-maps and friends) to community once they're ready, but before due date.
4. Move gnome metapackage to community & add missing applications to it
CC: @PureTryOut
3.11.0 | Rasmus Thomsen <oss@cogitri.dev> | Rasmus Thomsen <oss@cogitri.dev> | 2019-10-31

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10933
use composer to build roundcubemail
2019-12-18T19:52:03Z | Andy Postnikov
There are pear-php packages like [community/php7-pear-net_smtp](https://pkgs.alpinelinux.org/package/edge/community/x86_64/php7-pear-net_smtp) which don't look used anymore.
Ref https://github.com/roundcube/roundcubemail/wiki/Installation#install-dependencies
3.11.0

https://gitlab.alpinelinux.org/alpine/aports/-/issues/10937
wget included in alpine / busybox does not support IPv6
2019-12-11T08:18:18Z | Nico Schottelius
I was trying to download something from github, which is IPv4 only. The network provides DNS entries AAAA for github (so called DNS64) and wget should try to retrieve files via IPv6. However the result is that wget only tries IPv4:
```
Connecting to github.com (140.82.118.3:443)
wget: can't connect to remote host (140.82.118.3): Network unreachable
```
This breaks Alpine on IPv6 only systems with DNS64/NAT64, which tend to become more common.
I assume there is a busybox config / file for enabling IPv6 - if you can point me to the config, I can make a merge request with the required change.
3.11.0 | Natanael Copa | Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/11020
v3.11 rc1: /etc/update-extlinux.conf still "vanilla"
2019-12-12T13:05:22Z | Christian Dietrich
```
# default
# default kernel to boot
default=vanilla
```
That should probably be "lts" (or not?)
3.11.0 | Natanael Copa | Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/11021
v3.11 rc1: apk add linux-firmware-ath10k purges packages
2019-12-11T17:09:15Z | Christian Dietrich
```
localhost:~# apk add linux-firmware-ath10k
(1/84) Purging linux-firmware (20191022-r0)
....
(84/84) Purging linux-firmware-other (20191022-r0)
OK: 286 MiB in 66 packages
```
```
localhost:~# apk del linux-firmware-ath10k
World updated, but the following packages are not removed due to:
linux-firmware-ath10k: linux-firmware linux-lts
(1/84) Installing linux-firmware-yamaha (20191022-r0)
....
(84/84) Installing linux-firmware (20191022-r0)
OK: 758 MiB in 150 packages
```
This seems to be wrong.
3.11.0 | Natanael Copa | Natanael Copa

https://gitlab.alpinelinux.org/alpine/aports/-/issues/11036
Touchpad issues on AMD Chromebook-class laptops: fix (linux-lts)
2019-12-18T08:44:54Z | Rupert Carmichael
I have fixed detection of the touchpad on my laptop by enabling the following kernel config options:
```
CONFIG_X86_AMD_PLATFORM_DEVICE=y
CONFIG_PINCTRL_AMD=y
```
As this is my first ever contribution to Alpine, I am unaware of what conventions are in place to have this change made, should it be considered an acceptable change. I am more than happy to create a merge request if that is preferred; please inform. Thank you!
3.11.0

https://gitlab.alpinelinux.org/alpine/aports/-/issues/11055
net-snmp-5.8: broken ErrorMsg at ucd-snmp
2019-12-19T14:58:11Z | Joao Vitor Arruda
No error messages at UCD-SNMP-MIB::prErrMessage in net-snmp 5.8 (Alpine 3.9, 3.10 and edge).
It works fine in net-snmp 5.7.3 (Alpine 3.8, 3.7).
Steps to reproduce with a configuration to monitor a process:
```
rocommunity public
proc snmpd
```
Query proc error messages in Alpine <= 3.8:
```
snmpwalk -v 2c -c public localhost UCD-SNMP-MIB::prErrMessage
UCD-SNMP-MIB::prErrMessage.1 = STRING:
```
Query proc error messages in Alpine >= 3.9:
```
snmpwalk -v 2c -c public localhost UCD-SNMP-MIB::prErrMessage
UCD-SNMP-MIB::prErrMessage = No Such Instance currently exists at this OID
```
It seems to be related to this upstream bug: https://github.com/net-snmp/net-snmp/issues/26
3.11.0 | Leonardo Arena | Leonardo Arena